AWS Security Blog

How to Switch Easily Between AWS Accounts by Using the AWS Management Console and AWS Directory Service

Earlier this year, the AWS Identity and Access Management (IAM) team announced support for the Switch Role feature, which allows your users to switch between accounts in the AWS Management Console. The benefit to your users is that they can switch accounts without being required to sign out and sign in for each account. In addition to being available for standard IAM users, this Switch Role functionality is available for federated users, including those in AWS Directory Service (Directory Service) directories Simple AD and AD Connector.

Directory Service allows you to grant directory users from an existing Microsoft Active Directory (AD) domain (via AD Connector) or Simple AD access to resources in your AWS account. Directory Service provides a customer-specific access URL for the AWS Management Console, which users can use to sign in with their existing corporate credentials. For more information about Directory Service, see our documentation.

This blog post will show how your federated users (via Simple AD or AD Connector) can sign in one time using their existing directory credentials and then easily switch between AWS accounts by using the AWS Management Console and Directory Service. 

Step 1: Set up your users, directory, and access URL

In order to follow along with this post, you will need to set up Simple AD or AD Connector. If you have not already set up Simple AD or connected to an existing directory using AD Connector, the following documentation includes the necessary steps:

Note: When your federated users sign in to the console, by default they sign in to the AWS account where your Simple AD or AD Connector resides. From there, your federated users can switch to another account to which they’ve been granted access. Because your federated users will always start in this default account, place Simple AD or AD Connector in the AWS account that makes the most sense.

You’ll also need an access URL for your Simple AD or AD Connector. If you haven’t already done so, here are the steps to create an access URL. The access URL is the endpoint that your federated users will use to sign in to the AWS Management Console. The format of the access URL looks like https://{examplecompany}.awsapps.com/console. In addition, console access for your directory must be enabled before you can continue to Step 2.

If console access is not already enabled, perform the following steps:

  1. In the AWS Directory Service console navigation pane, choose Directories.
  2. Click the directory ID link for your directory.
  3. In the Directory Details page, select the Apps & Services tab.
  4. In the Services area, click the Manage Access link for AWS Management Console.
  5. In the Enable AWS Management Console dialog box, click Enable Application. Console access is now enabled for your directory.

Step 2: Assign roles to directory users

After setting up your directory, identify the federated users to whom you’d like to give access to the AWS Management Console. Then, assign IAM roles to users in your directory by using the Directory Service console.

Step 3: Set up roles in external accounts

Create an IAM role in each additional account to which you want to provide access. See the blog post Enable a New Feature in the AWS Management Console: Cross-Account Access or the documentation page Creating a Role to Delegate Permissions to an IAM User to create a role for cross-account access.

After setting up your cross-account role, you can restrict which directory users can assume the role by editing the trust policy on the newly created role in the IAM console (see the following image).

Image of editing the trust relationship

You can use the following role template to configure the policy to grant access to specific directory users who can assume this role in the external account. Replace {directory-user-1} and {directory-user-2} with the full user names of the directory users to whom you wish to grant access. These users should have already been set up as described in Step 1 of this blog post. Directory user names are typically in the format of a short string like johndoe. You can name as many users as you’d like in this policy, as long as you don’t exceed the maximum role trust policy size of 2,048 bytes. The {directory-account-id} should already be in your trust policy from when you set up the role, but we recommend double-checking to ensure that it matches the AWS account ID in which you set up your directory.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::{directory-account-id}:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringLike": {
          "aws:userid": [
            "*:{directory-user-1}",
            "*:{directory-user-2}"
          ]
        }
      }
    }
  ]
}
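The following added example (not part of the original post or any AWS tooling) fills in the template above for a list of directory users, checks the result against the 2,048-byte limit and the expected directory account, and evaluates the StringLike patterns against a caller's aws:userid. The function names, the sample account ID and the user names are constructed; it assumes, as the template's "*:{directory-user}" pattern implies, that aws:userid ends in ":" followed by the directory user name.

```python
import json
import re

MAX_TRUST_POLICY_BYTES = 2048  # limit stated in the post

def build_trust_policy(directory_account_id, usernames):
    """Fill in the post's role template for the given directory user names."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{directory_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringLike": {"aws:userid": [f"*:{u}" for u in usernames]}},
        }],
    }

def _userid_patterns(stmt):
    pats = stmt.get("Condition", {}).get("StringLike", {}).get("aws:userid", [])
    return [pats] if isinstance(pats, str) else list(pats)

def lint_trust_policy(policy, directory_account_id):
    """Return findings; an empty list means the policy follows the template."""
    findings = []
    # Assumption: size is measured on compact JSON, encoded as UTF-8.
    size = len(json.dumps(policy, separators=(",", ":")).encode("utf-8"))
    if size > MAX_TRUST_POLICY_BYTES:
        findings.append(f"policy is {size} bytes, limit is {MAX_TRUST_POLICY_BYTES}")
    expected = f"arn:aws:iam::{directory_account_id}:root"
    for stmt in policy["Statement"]:
        if stmt.get("Principal", {}).get("AWS") != expected:
            findings.append("principal is not the directory account")
        patterns = _userid_patterns(stmt)
        if not patterns:
            findings.append("no aws:userid condition; role is not limited to named users")
        for p in patterns:
            # Anything other than '*:<literal name>' widens who can assume the role.
            if not re.fullmatch(r"\*:[^*?:]+", p):
                findings.append(f"pattern {p!r} is broader than '*:<user name>'")
    return findings

def userid_allowed(policy, userid):
    """Evaluate the StringLike patterns (* and ? wildcards, case-sensitive)."""
    for stmt in policy["Statement"]:
        for p in _userid_patterns(stmt):
            rx = re.escape(p).replace(r"\*", ".*").replace(r"\?", ".")
            if re.fullmatch(rx, userid, re.DOTALL):
                return True
    return False
```

Running the lint before saving a trust policy catches a mistyped account ID or a pattern such as "*:*" that would let every directory user assume the role.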

Step 4: Share login links

After you set up the role, you can copy the Switch Role link from the IAM console (see the following image) and distribute it to your federated users.

Image of the Switch Role link

When your users have the Switch Role URL, they can get started in two simple steps:

  1. Sign in to the AWS Management Console by using the Directory Service access URL that looks like https://{examplecompany}.awsapps.com/console.
  2. Paste the Switch Role URL into the address field of a browser. When the Switch Role page is displayed, click Switch.

Your federated users should now be in the new account and able to access AWS resources with the privileges of the IAM role they assumed, as shown in the following image.

Image of the Switch Role drop-down menu

The account and role associated with the specific Switch Role URL are listed in the console drop-down menu for quick switching in the future.

Conclusion

This blog post has shown how your federated users (via Simple AD or AD Connector) can sign in one time using their existing directory credentials and then easily switch between AWS accounts by using the AWS Management Console and Directory Service. This eliminates the need to maintain a separate set of credentials per user per AWS account, simplifying access management for all of your AWS accounts.

We’d love to hear more about how you are using Directory Service with IAM, and welcome any feedback about how we can improve the experience. You can post comments below, or visit the Directory Service forum to post comments and questions.

– Rob
